2017-10-03 - JAPANESE MALSPAM PUSHING URSNIF

ASSOCIATED FILES:

  • 2017-10-03-Japanese-malspam-pushing-Ursnif.pcap   (550,394 bytes)
  • 2017-10-03-Excel-spreadsheet-from-1st-wave-pushing-Ursnif.xls   (45,568 bytes)
  • 2017-10-03-Excel-spreadsheet-from-2nd-wave-pushing-Ursnif.xls   (71,680 bytes)
  • 2017-10-03-Japanese-malspam-for-Ursnif-0813-UTC.eml   (63,890 bytes)
  • 2017-10-03-Japanese-malspam-for-Ursnif-0815-UTC.eml   (63,980 bytes)
  • 2017-10-03-Japanese-malspam-for-Ursnif-0818-UTC.eml   (64,049 bytes)
  • 2017-10-03-Japanese-malspam-for-Ursnif-0923-UTC.eml   (1,748 bytes)
  • 2017-10-03-Japanese-malspam-for-Ursnif-0926-UTC.eml   (1,693 bytes)
  • 2017-10-03-Japanese-malspam-for-Ursnif-0930-UTC.eml   (98,935 bytes)
  • 2017-10-03-Japanese-malspam-for-Ursnif-0939-UTC.eml   (98,822 bytes)
  • 2017-10-03-Ursnif-binary-from-nonudoka.top.exe   (483,328 bytes)
NOTES:
EMAILS


Shown above:  Screenshot from one of the emails (1st wave).

Shown above:  Screenshot from one of the emails (2nd wave).
INFORMATION FROM EMAILS GATHERED:

Shown above:  One of the Excel spreadsheets (1st wave).

Shown above:  One of the Excel spreadsheets (2nd wave).
TRAFFIC


Shown above:  Traffic from an infection filtered in Wireshark (only DNS queries and SYN packets for post-infection activity).


Shown above:  Screenshot of Fiddler capture when @tmmalanalyst checked it out earlier (link to tweet).
ASSOCIATED DOMAINS:

POST-INFECTION TRAFFIC:
FILE HASHES

EMAIL ATTACHMENT - 1ST WAVE:

EMAIL ATTACHMENT - 2ND WAVE:

FOLLOW-UP MALWARE - URSNIF:


Shown above:  Malware persistent on the infected Windows host.
FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.